[Container-tools] signing vagrant payload

Lalatendu Mohanty lmohanty at redhat.com
Mon Feb 29 14:13:42 UTC 2016


On 02/29/2016 07:31 PM, Karanbir Singh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 29/02/16 13:43, Lalatendu Mohanty wrote:
>> On 02/29/2016 06:31 PM, Karanbir Singh wrote: On 29/02/16 12:15,
>> Karanbir Singh wrote:
>>>>> hi,
>>>>>
>>>>> Has there been any work done to see how one might sign and
>>>>> then validate a vagrant box at all? I'm looking for options
>>>>> and every one of them seems to require an additional component
>>>>> on the client side (which might defeat the purpose a bit).
>> It looks like the ImgFac-created boxes don't have a checksum included
>> in the box. At the moment the box looks like:
>>
>> metadata.json: {"provider": "libvirt", "format": "qcow2",
>> "virtual_size": 41}
>>
>> We should be able to add a sha type and a sum there, so it's
>> validated before being instantiated.
>>
>>> +1, that's a good idea. Also we should try notary [1] (saw
>>> someone mention it on Twitter in reply to your question)
>>> [1] https://github.com/docker/notary
> Yeah, note that Justin worked on defining that tool set - so might be
> opinionated around its use - we should try it out for sure, but I don't
> think overall this is the place for us to end up at.
>
> I'm also talking to the digicert guys around using code signing certs
> for extended roles like this - will feedback here what comes from that.
>
> Finally, a gpg detached sig, hosted in the box itself (that signs the
> metadata, which in turn has the sha sums) might be another route (an
> additional route?) but likely needs a vagrant plugin to do the
> validation.

Agree. This looks like a feature which should be in Vagrant. Also the
Vagrant project sometimes merges frequently used plugins into the Vagrant
code. So it is worth an effort.

With the code for the gpg stuff, if we enable packer [1] to use this, then I
think it will be smoother for upstream to accept it.

[1] https://github.com/mitchellh/packer

> - -- 
> Karanbir Singh, Project Lead, The CentOS Project, London, UK
> Red Hat Ext. 8274455 | DID: 0044 207 009 4455
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (GNU/Linux)
>
> iQEcBAEBAgAGBQJW1E9GAAoJEI3Oi2Mx7xbtF7oH/jHVugP3zh1L7rtBHO4dw+2b
> QqIOhoZEkdpbhjDfFZY18qmHt5C4ieBSiVOqIfjxsxldcfdd39bOpvRACga1woJq
> iLU99VmYN8bwdgdl3Rjcq+NBovkJnVx0otnP/763uF665F/c+IRqBsF7l7TMRuJx
> Cp2vk12gyz6fwXryQfUgZU5zf4QQBWYmMaCWtXQU4bP5YHADFRnnPze33SclkYlc
> fOF0aOoHGbxEnjAn6xIOTG9hluMRT4gM2M10hKwE8h1rptALhNjFT3pSN1hv7byb
> jdK09XRAQr/SfMzd6s5DN5xWyz8SfPdstUjMNACCoxjxI+KRdqojqg2ZlJ2zeA0=
> =Y91P
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Container-tools mailing list
> Container-tools at redhat.com
> https://www.redhat.com/mailman/listinfo/container-tools
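
The validation chain sketched in this thread (a detached gpg signature over metadata.json, with metadata.json pinning the image checksum) as an added example, not code from the thread, from Vagrant or from the CentOS project. The field names `sha_type` and `sha_sum`, the signature file name `metadata.json.sig`, the image name `box.img` and the `SAMPLE_*` inputs are assumptions made for illustration; the existing `provider`/`format`/`virtual_size` keys come from the box shown above. The checksum step runs offline; the signature step shells out to a real `gpg` binary and a key you have already imported and trust, so it is only exercised when you point `verify_box` at a real box directory.

```python
"""Verify a libvirt Vagrant box: signed metadata.json pins the image hash.

Added example, not code from the mailing-list thread. Assumed layout:
    box.img            (qcow2 image)
    metadata.json      ({"provider": ..., "sha_type": ..., "sha_sum": ...})
    metadata.json.sig  (detached gpg signature over metadata.json)
"""
import hashlib
import hmac
import json
import subprocess
from pathlib import Path

# Only strong digests are accepted; md5/sha1 in metadata are rejected outright.
SUPPORTED_HASHES = {"sha256", "sha512"}


def check_image_checksum(metadata, image_bytes):
    """Return (ok, reason). metadata is the parsed metadata.json dict."""
    algo = metadata.get("sha_type")              # assumed key
    expected = metadata.get("sha_sum")           # assumed key
    if algo not in SUPPORTED_HASHES or not isinstance(expected, str) or not expected:
        return False, "metadata does not pin a supported checksum"
    actual = hashlib.new(algo, image_bytes).hexdigest()
    # Constant-time compare avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(actual, expected.lower()):
        return False, f"{algo} mismatch: expected {expected}, got {actual}"
    return True, "checksum ok"


def parse_gpg_status(status_output, signer_fpr):
    """True iff gpg's --status-fd output reports VALIDSIG for signer_fpr.

    Status lines look like '[GNUPG:] VALIDSIG <fingerprint> <date> ...';
    GOODSIG alone is not enough, because it does not carry the fingerprint.
    """
    want = signer_fpr.replace(" ", "").upper()
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            if parts[2].upper() == want:
                return True
    return False


def verify_detached_signature(metadata_path, sig_path, signer_fpr, gpg="gpg"):
    """Run gpg --verify and require a valid signature from the pinned key."""
    res = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", str(sig_path), str(metadata_path)],
        capture_output=True, text=True,
    )
    return res.returncode == 0 and parse_gpg_status(res.stdout, signer_fpr)


def verify_box(box_dir, signer_fpr):
    """Signature first, then the checksum the signed metadata pins."""
    box_dir = Path(box_dir)
    metadata_path = box_dir / "metadata.json"
    if not verify_detached_signature(metadata_path, box_dir / "metadata.json.sig", signer_fpr):
        return False, "metadata.json signature not valid for the trusted key"
    metadata = json.loads(metadata_path.read_text())
    return check_image_checksum(metadata, (box_dir / "box.img").read_bytes())


# Constructed sample data so the checksum path can be exercised offline.
SAMPLE_IMAGE = b"constructed qcow2 stand-in, not a real image"
SAMPLE_METADATA = {
    "provider": "libvirt", "format": "qcow2", "virtual_size": 41,
    "sha_type": "sha256", "sha_sum": hashlib.sha256(SAMPLE_IMAGE).hexdigest(),
}
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF constructed signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2016-02-29 1456754026 0 4 0 1 2 00 "
    "0000111122223333444455556666777788889999\n"
)

if __name__ == "__main__":
    print(check_image_checksum(SAMPLE_METADATA, SAMPLE_IMAGE))
    print(check_image_checksum(SAMPLE_METADATA, SAMPLE_IMAGE + b"tampered"))
    print(parse_gpg_status(SAMPLE_STATUS, "0000 1111 2222 3333 4444 5555 6666 7777 8888 9999"))
```

The order matters: the signature is checked before metadata.json is trusted for anything, so an attacker who can rewrite the box cannot simply update `sha_sum` alongside a modified image. Pinning the signer fingerprint rather than accepting any key in the keyring is what makes the gpg step meaningful; a plugin doing this in Vagrant would need that fingerprint configured by the user or shipped with the box source, not read from the box.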
